Policy objects are displayed in an UNKNOWN state due to APH_TN certificate

Article ID: 434751

Updated On:

Products

VMware NSX

Issue/Introduction

  • In the NSX Manager UI, objects are displayed as "UNKNOWN" accompanied by the following error. This issue can also occur with components such as Tier-0, VRF, Edge Clusters, Firewalls, and VPNs.
    "Unable to collect status for '1' transport nodes."

  • The following messages are logged in /var/log/proton/nsxapi.log on the NSX Manager:
    <timestamp>  INFO INTENT-PROCESSOR-CONSOLIDATED-SERVICE-0 ConsolidatedRealizedStateServiceImpl <pid> POLICY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Updated consolidated state for intentPath:/infra/settings/firewall/security/intrusion-services/signature-versions/DEFAULT/compressed-signature/DEFAULT to:UNKNOWN
    <timestamp>  INFO INTENT-PROCESSOR-CONSOLIDATED-SERVICE-1 ConsolidatedRealizedStateServiceImpl <pid> POLICY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Updated consolidated state for intentPath:/infra/sites/default/enforcement-points/default/edge-clusters/<uuid> to:UNKNOWN
    <timestamp>  INFO INTENT-PROCESSOR-CONSOLIDATED-SERVICE-0 ConsolidatedRealizedStateServiceImpl <pid> POLICY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Updated consolidated state for intentPath:/infra/domains/default/gateway-policies/Policy_Default_Infra-tier1-<name> to:UNKNOWN
    <timestamp>  INFO INTENT-PROCESSOR-CONSOLIDATED-SERVICE-1 ConsolidatedRealizedStateServiceImpl <pid> POLICY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Updated consolidated state for intentPath:/infra/tier-1s/<name> to:UNKNOWN


  • The Common Name (CN) of the APH_TN certificate applied to each NSX Manager is not unique. You can verify this by logging into any NSX Manager via CLI as root and running the following command. The example below indicates an issue because all CNs are identical.
    root@manager:~# curl -sk -u 'admin:<password>' https://localhost/api/v1/trust-management/certificates | python3 -c 'import sys,json,subprocess; data=json.load(sys.stdin);
    for r in data.get("results", []):
        if any("APH_TN" in u.get("service_types", []) for u in r.get("used_by", [])):
            p=subprocess.run(["openssl","x509","-noout","-subject"], input=r["pem_encoded"], text=True, capture_output=True)
            print(r.get("id"), p.stdout.strip())
    '
    <cert#1_uuid> subject=C = US, CN = VMware-NSX-ApplProxyHub
    <cert#2_uuid> subject=C = US, CN = VMware-NSX-ApplProxyHub
    <cert#3_uuid> subject=C = US, CN = VMware-NSX-ApplProxyHub


  • The following error regarding the above certificates is logged in /var/log/vmware/appl-proxy-rpc.log on each NSX Manager.
    <timestamp> <manager_name> NSX <pid> - [nsx@6876 comp="nsx-manager" subcomp="appl-proxy" s2comp="nsx-net" tid="<tid>" level="ERROR" errorCode="NET1111"] Certificate validation failed: 18-self-signed certificate <snip>
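The CN check from the Issue section above, written as an added example (not part of this article or of the NSX product): it filters the response of /api/v1/trust-management/certificates to the certificates used by the APH_TN service, takes the CN from each certificate's openssl subject line, and reports any CN shared by more than one certificate, which is the failing condition described above. The API response and subject lines are constructed sample data, and the "API" service type in the sample is an assumption.

```python
"""Flag APH_TN certificates whose Common Names are not unique across NSX Managers."""
import re
import subprocess
from collections import defaultdict
from typing import Callable, Dict, List, Optional


def subject_via_openssl(pem: str) -> str:
    """Return the 'subject=...' line for a PEM certificate via the openssl CLI."""
    proc = subprocess.run(["openssl", "x509", "-noout", "-subject"],
                          input=pem, text=True, capture_output=True, check=True)
    return proc.stdout.strip()


def common_name(subject_line: str) -> Optional[str]:
    """CN from 'subject=C = US, CN = VMware-NSX-ApplProxyHub' or 'subject=/C=US/CN=...'."""
    match = re.search(r"(?:^|[,/=]\s*)CN\s*=\s*([^,/]+)", subject_line)
    return match.group(1).strip() if match else None


def aph_tn_certificates(api_response: dict) -> List[dict]:
    """Entries of /api/v1/trust-management/certificates used by the APH_TN service."""
    return [r for r in api_response.get("results", [])
            if any("APH_TN" in u.get("service_types", []) for u in r.get("used_by", []))]


def duplicate_cns(api_response: dict,
                  subject_of: Callable[[str], str] = subject_via_openssl) -> Dict[str, List[str]]:
    """Map each CN shared by more than one APH_TN certificate to the certificate ids
    using it; an empty result means every manager's APH_TN certificate has a unique CN."""
    by_cn: Dict[str, List[str]] = defaultdict(list)
    for cert in aph_tn_certificates(api_response):
        cn = common_name(subject_of(cert["pem_encoded"])) or "<no CN>"
        by_cn[cn].append(cert["id"])
    return {cn: ids for cn, ids in by_cn.items() if len(ids) > 1}


# Constructed sample: three managers with the same APH_TN CN (the failing case in the
# article) plus one unrelated certificate. PEM bodies are placeholders and openssl is
# replaced by a lookup table so the check runs without real certificates.
SAMPLE_API = {"results": [
    {"id": f"cert-{i}", "pem_encoded": f"PEM-{i}",
     "used_by": [{"node_id": f"manager-{i}", "service_types": ["APH_TN"]}]}
    for i in (1, 2, 3)
] + [{"id": "cert-api", "pem_encoded": "PEM-api",
      "used_by": [{"node_id": "manager-1", "service_types": ["API"]}]}]}
SAMPLE_SUBJECTS = {"PEM-1": "subject=C = US, CN = VMware-NSX-ApplProxyHub",
                   "PEM-2": "subject=C = US, CN = VMware-NSX-ApplProxyHub",
                   "PEM-3": "subject=C = US, CN = VMware-NSX-ApplProxyHub",
                   "PEM-api": "subject=CN = manager-1.example.test"}
```

Against a live manager, pass the parsed output of the curl command shown above as api_response and leave subject_of at its default so openssl reads the real PEMs.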

Environment

VMware NSX

Cause

Due to the issue described in KB#373270, an internal processing error occurs, which prevents the system from properly recognizing the state of the policy objects.

Resolution

Update the APH_TN certificate by following the steps outlined in the Resolution section of KB#373270.

Additional Information

KB#373270 : After replacing APH-TN or APH-AR certificates, connections between Manager nodes or between GM and LM are disconnected